BetaNews: Adobe recognizes major Flash vulnerability, will patch it today
The recent hack on the Italian surveillance software firm Hacking Team was partially carried out through a vulnerability in Flash, and Adobe is now working at full speed to release a fix as soon as possible.
CVE-2015-5119 [Adobe Security Bulletin via TechCrunch]. As a reminder, Hacking Team is the infamous outfit that supplies US law enforcement and various governments around the world with digital spying tools.
Zero-day vulnerabilities are flaws that are found and targeted by hackers before they are discovered by security professionals.
Researchers at Trend Micro also detected the exploit circulating in the wild, but noted that the Hacking Team code leveraged a trick that was first observed during Pwn2Own earlier this year.
“This is one of the fastest documented cases of an immediate weaponization in the wild, possibly thanks to the detailed instructions left by Hacking Team”, researchers from security firm Malwarebytes said in a blog post.
Exploit kits are attack tools, commonly traded on underground online markets, that let criminals who may not have strong computer skills mount cyber attacks. The Register reports that some source code contained within the leak includes software vulnerabilities that are being exploited by Hacking Team to break into PCs. Combined with the Adobe Flash exploit, it’s a powerful way to hijack a PC. Dangerous forms of ransomware such as CryptoWall also encrypt files stored on the victim machine’s hard drive.
Symantec warned on Tuesday that “it can be expected that groups of attackers will rush to incorporate it into exploit kits before a patch is published by Adobe”. Adobe recommends customers install the update as soon as possible.
Until the Adobe update is released and installed, users are advised to enable the click-to-play feature in browsers that support it, like Google Chrome and Mozilla Firefox, or to disable the Flash Player plug-in in their browser.